Enterprise Risk Management


Enterprise Risk Management. Course: Good Governance, a guide to the supervisory board role (Commissariaat) and the relationship between supervisory directors and accountants. Steven Martina, 17 January 2009

Why is ERM important?
ERM supports value creation by enabling management to:
Deal effectively with potential future events that create uncertainty.
Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

Enterprise Risk Management “… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.

Enterprise Risk Management — Integrated Framework
This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management. Enterprise risk management requires an entity to take a portfolio view of risk.

The ERM Framework
ERM considers activities at all levels of the organization:
Enterprise-level
Division or subsidiary
Business unit processes
It requires an entity to take a portfolio view of risk.

The ERM Framework
Entity objectives can be viewed in the context of four categories:
Strategic
Operations
Reporting
Compliance

The ERM Framework
The eight components of the framework are interrelated:
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information & Communication
Monitoring

Internal Environment
Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur.
Establishes the entity’s risk culture.
Considers all other aspects of how the organization’s actions may affect its risk culture.

Objective Setting
Is applied when management considers risk strategy in the setting of objectives.
Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept.
Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.

Event Identification
Differentiates risks and opportunities.
Events that may have a negative impact represent risks.
Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.

Event Identification
Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.
Addresses how internal and external factors combine and interact to influence the risk profile.

Risk Assessment
Allows an entity to understand the extent to which potential events might impact objectives.
Assesses risks from two perspectives: likelihood and impact.
Is used to assess risks and is normally also used to measure the related objectives.

Risk Assessment
Employs a combination of both qualitative and quantitative risk assessment methodologies.
Relates time horizons to objective horizons.
Assesses risk on both an inherent and a residual basis.

Key Questions for Risk Assessment
Where and what can we improve? Where does the shoe pinch? What goes wrong?
Which process is concerned? Where do we run risks? What is the risk? What is the cause?
What are the consequences if the policy stays unchanged? How can we qualify the risk?
How can we best control the risk? What do we need to do for that? What is the cost/benefit ratio?
How can we best direct the required action?
[Probability / Impact matrix, each axis running from L (low) to H (high)]

Risk Impact Assessment
Score 1 to 10, grouped as LOW / MEDIUM / HIGH:

| Category | LOW | MEDIUM | HIGH |
|---|---|---|---|
| Market position | Remaining market position | Drop from nr. 3 to nr. 4 position | Drop from nr. 3 to nr. 5 position |
| EBITDA | Loss less than 1% compared to budget | Loss between 1% and 10% compared to budget | Loss more than 10% compared to budget |
| Growth | Losing less than 1% of growth target | Losing between 1% and 3% of growth target | Losing more than 3% of growth target |
| Reputation | No negative press | Limited negative press; regulator warning | Excessive negative press; regulator sanction |

CI-VERA 2009 Curacao Accountants in Business

Risk Response
Identifies and evaluates possible responses to risk.
Evaluates options in relation to the entity’s risk appetite, cost vs. benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood.
Selects and executes the response based on evaluation of the portfolio of risks and responses.
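A small worked example of the assessment and response steps above, added here and not code from the presentation: it applies the deck's LOW/MEDIUM/HIGH scale with the EBITDA and growth thresholds from the impact table, rates each risk on an inherent and a residual basis, and flags the risks that the deck's risk life cycle escalates to the management team (Impact >= "M" and Probability >= "M"). The register entries and the reduction steps attributed to each response are constructed assumptions.

```python
"""Minimal risk register following the deck's method (constructed example)."""
from dataclasses import dataclass

BANDS = ("LOW", "MEDIUM", "HIGH")


def ebitda_band(loss_pct: float) -> str:
    """Impact band for EBITDA loss versus budget: <1%, 1-10%, >10% (deck's table)."""
    if loss_pct < 1:
        return "LOW"
    return "MEDIUM" if loss_pct <= 10 else "HIGH"


def growth_band(lost_pct: float) -> str:
    """Impact band for shortfall against the growth target: <1%, 1-3%, >3%."""
    if lost_pct < 1:
        return "LOW"
    return "MEDIUM" if lost_pct <= 3 else "HIGH"


def worst(bands) -> str:
    """Overall impact of a risk is its worst category (portfolio-style aggregation)."""
    return max(bands, key=BANDS.index)


def lower(band: str, steps: int) -> str:
    """Reduce a band by `steps` levels, never below LOW (effect of a risk response)."""
    return BANDS[max(0, BANDS.index(band) - steps)]


def needs_escalation(likelihood: str, impact: str) -> bool:
    """Deck's rule: Impact >= "M" and Probability >= "M" -> management team (MT) risk."""
    return BANDS.index(impact) >= 1 and BANDS.index(likelihood) >= 1


@dataclass
class Risk:
    name: str
    likelihood: str          # inherent likelihood band
    ebitda_loss_pct: float   # expected EBITDA loss vs budget, in %
    growth_loss_pct: float   # expected shortfall vs growth target, in %
    reputation: str          # qualitative band from the table's reputation row
    likelihood_cut: int = 0  # levels removed by the chosen response (assumed)
    impact_cut: int = 0

    def inherent(self):
        impact = worst([ebitda_band(self.ebitda_loss_pct),
                        growth_band(self.growth_loss_pct), self.reputation])
        return self.likelihood, impact

    def residual(self):
        likelihood, impact = self.inherent()
        return lower(likelihood, self.likelihood_cut), lower(impact, self.impact_cut)


def mt_risks(register, residual=True):
    """Names of risks that meet the escalation rule, before or after responses."""
    return [r.name for r in register
            if needs_escalation(*(r.residual() if residual else r.inherent()))]


# Constructed sample register (not data from the presentation).
REGISTER = [
    Risk("Core policy system outage", "HIGH", 4.0, 0.5, "MEDIUM", likelihood_cut=1, impact_cut=1),
    Risk("Reinsurer default", "LOW", 12.0, 0.0, "LOW"),
    Risk("Customer data breach", "MEDIUM", 2.0, 3.5, "HIGH", impact_cut=1),
]
```

Comparing `mt_risks(REGISTER, residual=False)` with `mt_risks(REGISTER)` shows which risks the chosen responses bring back within tolerance and which still need management attention.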

Control Activities
Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
Occur throughout the organization, at all levels and in all functions.
Include application and general information technology controls.

Information & Communication
Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.
Communication occurs in a broader sense, flowing down, across, and up the organization.

Monitoring
Effectiveness of the other ERM components is monitored through:
Ongoing monitoring activities.
Separate evaluations.
A combination of the two.
Monitoring helps determine the effectiveness of the processes, technologies and personnel executing enterprise risk management. The entity establishes minimum standards for each component of enterprise risk management; the entity’s performance against these standards can then be monitored objectively. Monitoring can be done in two ways: through ongoing activities or separate evaluations. Enterprise risk management mechanisms usually are structured to monitor themselves on an ongoing basis, at least to some degree. Ongoing monitoring is built into the normal, recurring operating activities of an entity. It is performed on a real-time basis, reacts dynamically to changing conditions and is ingrained in the entity; as a result, it is more effective than separate evaluations. The greater the degree and effectiveness of ongoing monitoring, the less need there is for separate evaluations. The frequency of separate evaluations is a matter of management's judgment. In making that determination, consideration is given to the nature and degree of changes occurring, from both internal and external events, and their associated risks; the competence and experience of the personnel implementing risk responses and related controls; and the results of the ongoing monitoring. Usually, some combination of ongoing monitoring and separate evaluations will ensure that enterprise risk management maintains its effectiveness over time. Deficiencies in an entity’s enterprise risk management may surface from many sources, including the entity's ongoing monitoring procedures, separate evaluations and external parties.
All enterprise risk management deficiencies that affect the entity’s ability to develop and implement its strategy and to achieve its established objectives should be reported to those who can take necessary action, as discussed in the next section

Risk Management (the embedding)
[COSO ERM cube diagram: the eight components (Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring) set against the four objective categories (Strategic, Operations, Reporting, Compliance) and the entity levels (Entity-level, Division, Business Unit, Subsidiary). Around the cube, the management tools and programmes through which ERM is embedded: SWOT/PEST, TQM, ERP, COSO project, EH&S, Six Sigma, CO2/GHG, SOX, loss prevention, performance system, newsletters and websites, corporate planning, risk appetite, internal audit, budget and profit plan, policies and procedures, guides, BSC, customer continuous monitoring feedback, COBIT for IT. Source: L. Hubbard (ed.)]

Internal Control Environment: risk classification at Fatum
Strategic Risks: strategy development, strategy planning, strategic steering.
Operational Risks: processes, ICT, project management, information security, internal fraud, compliance, complaints management, legal, safety, business continuity, internal culture, risk management (quality), organisational structure, personnel (quality).
Financial Risks: concentration, credit, liquidity, interest, currency, mismatch, solvency, insurance technical provisioning, reinsurance, tax.
Reporting Risks: external reporting, internal information provision.
External Environment: external crime, business environment.
The intention is not to assign a single responsible person to each individual risk.

ERM – Risk Hierarchy
Reputational risk
Strategic risk
Market risk
Credit risk
Operational risk

RM can/should be about more than audit
Stages of development (value added for the insurer, from Insurance & Compliance, through Core risk management, to Risk-return optimisation; the diagram numbers the stages I to VII):
“Risk management equals buying reinsurance” → Risk transfer via reinsurance
“Regulators are demanding risk management activities” → Over-reliance on ‘checklists’, false sense of security
“Risk needs to be quantified comprehensively” → Over-control by centralized risk management, initial quant models too primitive
“We need a sustainable process for monitoring all our risks” → Qualitative RM
“Shareholders demand a risk/return framework” → Risk and growth appetite defined, risk dynamically measured and aggregated properly
“We need to know the economic impact of our largest risks” → Specific risk quantification
“Decision making across the firm is linked to building economic value” → Risk-adjusted resource allocation at all levels

The chaotic reality
In reality, a bizarre and chaotic whole of activities, anticipating the positive and negative aspects of risk.
All sorts of risk classifications.
Countless different perspectives.
Sometimes fitting together well, sometimes not, sometimes even mutually exclusive.

THE PROCESS

Risk Life Cycle
[Flowchart with the phases Initiation, Assessment, Monitoring and Control. Elements: Request, Risk Sessions, Risk Assessment (probability and impact each rated L/M/H), the decision points Impact >= “M” and Probability >= “M” (yes/no), MT Risk, Corrective Action, In Control?, Considered in Control, Management, Internal Audit, External Audit, Audit Committee.]
The structured identification and inventorying, the analysis and quantification, and the control of risks. Risks are monitored and reported on. Risk Management makes Fatum demonstrably better in control of what happens within the company.

RISK AND REWARD ARE INSEPARABLE. THE TWO TOGETHER MAKE A PERFORMANCE VALUABLE OR NOT!

Most risks do have a reward!